Deleting a samba user: pbdedit vs. smbpasswd, what's the difference?

Both smbpasswd and pdbedit can be used for Samba user management.

Answering the question: as of Samba 4 there is no difference between these two commands. Both commands will operate on the same file - be it in smbpasswd or tdbsam format - and do the job.

Expanding on the answer:

smbpasswd is the older one. It was used to manage Samba credentials stored in the file format of the same name - smbpasswd. The default path for the file in RedHat based distros was /etc/samba/smbpasswd (to disambiguate: the program itself, the file format and the default file of that format the smbpasswd program operates on are all called smbpasswd).

pdbedit came up during the Samba 3 development cycle as a replacement for smbpasswd. From perspective of the root user pdbedit is capable of all operations that smbpasswd can do as well as a superset of them (manage account security and policy settings). The 'native' format for storing Samba credentials for pdbedit is tdbsam - Trivial DB based password storage backend. On RedHat based distros the default file path is /var/lib/samba/private/passdb.tdb.

The issue with pdbedit is that it can only be used by root, while smbpasswd can be used by regular users to change their Samba passwords in a way similar to what passwd command does for Linux system accounts. So my understanding is that as of Samba 4 the job of user management is passed to pdbedit and smbpasswd is left there for non-root users to be able to change their passwords (though root can still use smbpasswd to manage Samba credentials store in a limited manner).


From the pbdedit man page:

excerpt

The pdbedit tool uses the passdb modular interface and is independent from the kind of users database used (currently there are smbpasswd, ldap, nis+ and tdb based and more can be added without changing the tool).

While the smbpasswd man page:

excerpt

By default (when run with no arguments) it will attempt to change the current user's SMB password on the local machine. This is similar to the way the passwd(1) program works. smbpasswd differs from how the passwd program works however in that it is not setuid root but works in a client-server mode and communicates with a locally running smbd(8). As a consequence in order for this to succeed the smbd daemon must be running on the local machine. On a UNIX machine the encrypted SMB passwords are usually stored in the smbpasswd(5) file.

So pbdedit can manipulate a variety of Samba password backends, while smbpasswd can only manipulate that type of backend.

Tags:

Samba

Passwd